At this week’s Symposium on Security for Asia Network (SyScan) in Singapore, security engineers Charlie Miller and Chris Valasek will highlight how fellow car hackers can research automotive electronic control units (ECUs) without needing to buy and dismantle a car. The researchers have even rigged a go-cart rigged with ECUs for testing purposes. The vehicle pictured has rearview camera, satellite radio, Bluetooth, GPS navigation and power steering.
Image courtesy of Charlie Miller.

When your home computer is hacked, the things at risk are your identity, finances and other digital assets. A cyber attack that can take control of your car—especially while you’re driving—raises the stakes considerably. As carmakers transform their vehicles into networked computers on wheels, concern has grown about hacker attacks on automobile systems and the seriousness of the threat.

Computer scientists have in recent years demonstrated the ability to remotely unlock car doors, start or stop an engine and even tamper with brakes. Fortunately, despite those demonstrations, “right now it’s extremely hard to compromise a car’s computer systems,” acknowledges Charlie Miller, a security engineer at Twitter. Miller has spent quite a bit of time in recent years working with Chris Valasek, director of security intelligence at IOActive, probing automobiles for security vulnerabilities. “It takes a lot of time, resources and technological expertise, but at the same time it’s possible.”

That possibility is not good news for car companies that want to build interfaces into their vehicles so they can communicate with one another as well as sensors built into traffic signals, roads and other infrastructure. Automobiles have already become sophisticated networks controlled by dozens of computers—called electronic control units (ECUs)—that manage critical, real-time systems such as steering, air-bag deployment and braking as well as less critical components including the ignition, lights and “infotainment” console. Software, sometimes consisting of up to 100 million lines of code, tells these ECUs what to do and when to do it. Carmakers connect multiple ECUs together within the vehicle using an internal communications network known as a controller area network (CAN).

Car hackers
Miller and Valasek are perhaps best known for a presentation at last summer’s Defcon hacker conference in Las Vegas that described in detail how they used a MacBook to take control of ECUs in a Toyota Prius and a Ford Escape, both model year 2010. The researchers connected their laptop via a cable to each car’s data port to fool the vehicles’ computers into taking any number of inappropriate actions while on the road—such as braking suddenly at high speed and steering into oncoming traffic.

The researchers’ laboratories on wheels came courtesy of more than $80,000 in funding from the Defense Advanced Research Projects Agency’s (DARPA) Cyber Fast Track program. Not all cybersecurity researchers have a car they can sacrifice in the name of science, of course—which is why Miller and Valasek have spent the past several months developing a presentation that demonstrates car hacking on the cheap. At this week’s Symposium on Security for Asia Network (SyScan) in Singapore, they will explain how others can buy individual ECUs and hook them up to create a simulated in-car computer network. The SyScan talk “goes into detail on how to get into car hacking even without a car,” Miller says. “If we have enough smart people looking at it, we can find problems and have discussions” about how to improve automotive computer security.

Firewall on the go
Miller and Valasek have taken the long view to this point. They find security flaws they hope carmakers will address as they design new vehicles, a process that takes years. For the near term, the researchers have created a prototype plug-in automotive firewall to identify and stop potentially malicious network traffic entering and traveling between a car’s computers. The firewall connects to a car via its on-board diagnostic system (OBD–II) port, but Miller says the device could potentially be wired into the car elsewhere or built directly into an ECU.

“When the car detects a network attack, it could do something as drastic as shut down the car’s computer network, or it could simply turn on the engine light to signal to the driver that there’s a problem,” Miller says. If the car’s network were shut down, the driver might lose power steering or antilock brakes as well as more sophisticated systems that signal when the vehicle is drifting out of its lane. However, a motorist would still be able to steer to the side of the road and stop. Miller and Valasek plan to provide more detail about the project at this summer’s Defcon conference.

Other attacks
Miller and Valasek’s work is part of a much larger body of research to probe whether increasingly connected cars are likewise increasingly vulnerable to cyber attacks.

At last week’s Black Hat Asia hacker conference in Singapore, researchers Alberto Garcia Illera and Javier Vazquez Vidal demonstrated a two-stage attack. Using a custom-made plug-in device, they first gather data from a car’s computers. Then they manipulate this data to prevent the driver from being able to control the vehicle. “So it's basically as if two people are talking, and suddenly we cover the mouth of one of them and start speaking for him, so he is no longer taking part [in] the conversation, and we take over his identity,” Vidal says. Illera and Vidal were able to do their research with the help of a tool they made for less than $25.

More disconcerting are efforts to break into car computers wirelessly. In March 2011, Stefan Savage, a University of California, San Diego computer science professor, and Tadayoshi Kohno, an associate computer science and engineering professor at the University of Washington in Seattle, described their efforts to insert malicious software into a car’s computer system using the vehicle’s Bluetooth and cell phone connections. Such an attack could enable an intruder to use a mobile phone to unlock car doors and start the engine remotely. This experiment followed earlier U.C. San Diego and University of Washington efforts—similar to those of Miller and Valasek—using a laptop plugged into the OBD–II port under a test car's dashboard to take control of its ECUs. Among other things, the OBD-II system was able to disable the brakes, selectively brake individual wheels on demand, and stop the engine—all independent of the driver's efforts (pdf).

Researchers from iSEC Partners (a San Francisco-based security firm) in August 2011 likewise claimed to have wirelessly broken into a 1998 Subaru Outback using their PC. In less than 60 seconds, they found the car’s security system module, bypassed it and started the engine. They could hack into a securely locked car because its alarm relied on a cell phone or satellite network that could receive commands via text messaging. Devices connecting via a cellular or satellite network are assigned the equivalent of a phone number or Web address. If hackers can figure out the number or address for a particular car, according to iSEC, they could use a PC to send commands via text messages that instruct the car to disarm, unlock and start. The researchers at the time acknowledged that stealing a particular car would be difficult because a thief would have to know that car’s number or address, neither of which are easy to find.

Countermeasures
Each of these experiments shares a common characteristic—a controlled environment in which to create chaos, as opposed to attacks on random vehicles on the road.

Still, car companies and government agencies insist they are taking automotive cybersecurity threats seriously. General Motors and Toyota claim to be working on the problem, whether it’s testing their vehicles against wireless attacks, encrypting network data or working with groups like SAE International to develop industry-wide security standards. Ford also has a cybersecurity team that is ready to respond to reports of malicious hacking of its vehicles, according to Don Butler, executive director of Connected Vehicles and Services.

The U.S. National Highway Traffic Safety Administration (NHTSA), meanwhile, created its Electronic Systems Safety Division in 2011 to monitor existing computerized capabilities—such as stability control, adaptive cruise control and automated lane centering—as well as emerging technologies that make automobiles increasingly autonomous. The division’s responsibilities include the development of research to address, among other things, “on-board tamper-proofing, hacking, and malicious external control,” according to the NHTSA.

Vidal is encouraged by the response he’s seen within the automotive industry. “The average [driver] should not panic but know that the security in vehicles is being taken into consideration in order to improve it,” he says. “Companies are really working on it, and it is improving at incredible speed.”

Miller, however, says he and Valasek haven’t received much direct input from either the government or carmakers as a result of last year’s Defcon demo. That’s not unusual—he doesn’t hear from Apple either when he reports bugs in its iPhone software—but he hopes the silence isn’t a sign that his and other security research is being dismissed. Miller points out that cyber attackers have found ways to defeat firewalls and encryption meant to protect ordinary computers and that they could eventually do the same thing with a car’s embedded systems.

“We might not see anything like this for a while,” Miller adds, “But it’s better to start thinking about it now.”